WIP: Add access-logs.viewer.yaml #1881
Conversation
|
Skipping CI for Draft Pull Request. |
k8s-ci-robot
added
do-not-merge/work-in-progress
k8s-ci-robot
added
the
size/M
|
/assign @thockin |
|
/assign @nikhita |
| - roles/compute.viewer | ||
| - roles/dns.reader | ||
| - roles/iam.securityReviewer | ||
| - roles/resourcemanager.organizationViewer | ||
| - roles/serviceusage.serviceUsageConsumer |
There was a problem hiding this comment.
I'm not particularly sure which roles may be needed, but would like to start the conversation
| @@ -0,0 +1,24 @@ | |||
| #### generated by generate-role-yaml.sh from specs/access-logs.viewer.yaml | |||
There was a problem hiding this comment.
I don't believe this comment. When I ran ./roles/generate-role-yaml.sh I saw significantly more permissions show up
There was a problem hiding this comment.
That's odd. I had to modify the script to get it to work locally
diff --git a/infra/gcp/roles/generate-role-yaml.sh b/infra/gcp/roles/generate-role-yaml.sh
index 7f5c8aae..4eba7280 100755
--- a/infra/gcp/roles/generate-role-yaml.sh
+++ b/infra/gcp/roles/generate-role-yaml.sh
@@ -68,13 +68,13 @@ function output_role_yaml() {
local spec="${1}"
local title description name include_roles include_permissions include_regex exclude_regex
- title=$(<"${spec}" yq -r .title)
- description=$(<"${spec}" yq -r .description)
- name=$(<"${spec}" yq -r .name)
- mapfile -t include_roles < <(<"${spec}" yq -r '.include? | .roles//[] | .[]')
- mapfile -t include_permissions < <(<"${spec}" yq -r '.include? | .permissions//[] | .[]')
- include_regex=$(<"${spec}" yq -r '.include? | .permissionRegexes//[] | join("|")')
- exclude_regex=$(<"${spec}" yq -r '.exclude? | .permissionRegexes//[] | join("|")')
+ title=$(<"${spec}" yq e -M .title -)
+ description=$(<"${spec}" yq e -M .description -)
+ name=$(<"${spec}" yq e -M .name -)
+ mapfile -t include_roles < <(<"${spec}" yq e -M '.include? | .roles//[] | .[]' -)
+ mapfile -t include_permissions < <(<"${spec}" yq e -M '.include? | .permissions//[] | .[]' -)
+ include_regex=$(<"${spec}" yq e -M '.include? | .permissionRegexes//[] | join("|")' -)
+ exclude_regex=$(<"${spec}" yq e -M '.exclude? | .permissionRegexes//[] | join("|")' -)
local output_path="${output_dir}/${name}.yaml"I'm using mikefarah/yq, not Python yq. To reproduce, the last commit before mine is 5de37c3. I think I must've broken something
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: BobyMCbobs The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
I put my thoughts on how I think we could setup IAM for gcs access logs here: #904 (comment) |
|
@BobyMCbobs With #1966 merged, do we still need this? |
|
We have log access now. I think it's fine to close.
/close
…On Wed, May 5, 2021 at 10:08 AM Arnaud M. ***@***.***> wrote:
@BobyMCbobs <https://github.com/BobyMCbobs> With #1966
<#1966> merged, do we still need
this?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#1881 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAAHUY3W6PNLPIBWA243IYDTMBV7NANCNFSM42RYGMKA>
.
|
|
@hh: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Add role for access-logs viewing.
Related: #1871